IT Outsourcing

IT outsourcing has been in a constant state of growth and has been reinforced as a common business strategy across the globe. With the COVID-19 pandemic, IT outsourcing has made remote work and virtual transactions convenient and feasible amid community lockdowns and quarantine protocols imposed by national governments.

In the Philippines, IT outsourcing typically includes software applications services, data centre operations, help desk support, network operations and disaster recovery.

Robotic Process Automation and Chatbots

Robotic process automation (RPA) and chatbots remain widely used tools in business process automation. In an RPA system, an action list is developed by the system. By watching the user perform certain tasks, automated activities ensue after a set of demonstration actions by the user. Through chatbots, a software application aided by natural language processing, the system is able to understand human speech and generate automated responses. Both RPA and chatbots use AI and machine learning capabilities to handle a high volume of repeatable tasks that humans were previously required to perform. Big companies in the Philippines, as well as government agencies in the public sector, such as the Central Bank of the Philippines (also known as Bangko Sentral ng Pilipinas or BSP), are utilising these tools.

Cloud Computing Services

An emerging technology in the Philippines is the use of cloud computing services, where hardware and software are used to deliver a service over a network, such as the internet, and through which users can access files and use applications from any device. Depending on its purpose, users may adopt:

• Infrastructure as a Service (IaaS) for automated administrative tasks, dynamic scaling, platform virtualisation, and internet connectivity;
• Platform as a Service (PaaS) for application development; and
• Software as a Service (SaaS) for software and application delivery.

These services have proved to be a cost-effective and flexible means to mitigate data loss and foster easy collaboration between and among users.

The shift towards digital platforms in the Philippines more often than not requires the use of cloud computing, especially in companies in the telecommunications, IT and business process outsourcing industries.

Captives and Shared Service Centres

With regard to business process (BP) outsourcing, captives and shared service centres (SSCs) continue to provide an alternative to outsourcing to third-party vendors. Captives and SSCs have proved their ability to normalise operations and improve the efficiency of some processes. In a captive service model, a company uses a wholly owned subsidiary instead of a third-party vendor in order to maintain complete control over processes and delivery, as well as keep critical activities within the organisation. Philippine entities normally set up as SSCs of global companies such as JPMorgan Chase, Shell and Procter & Gamble.

IT-BP Outsourcing Companies

According to a growth forecast study for 2020–2022 commissioned by the IT and Business Process Association of the Philippines (IBPAP), with the economic turmoil caused by the COVID-19 pandemic, 71% of organisations have initiated cost-cutting measures. As companies around the globe prioritise business continuity plans, a re-evaluation of their operations in offshore locations, such as in the Philippines, India and South Africa, was necessary. These geographies were reported to have limited operational workforce and were found to be relatively slower to transition to remote delivery.

Particularly in the Philippines, IT-BP outsourcing establishments, which are considered to provide essential services, were allowed to operate – albeit via a skeleton staff – at the start of the pandemic, while other companies were constrained to either implement work-from-home arrangements or temporarily shut down their operations. As operational capacities were increased by the government in Q3 of 2020, IT-BP outsourcing companies were allowed to operate at 100%, with due regard to health and safety measures in the workplace. According to IBPAP, the IT-BP industry successfully navigated the pandemic, recording a 10.6% growth in revenue and a 9.1% growth in head count for 2021, compared to its 2020 figures. These appear to have surpassed the forecast conducted by IBPAP in December 2020, where it was shown that the Philippines’ IT-BP industry had the potential to grow by a compound annual growth rate of 5.5% in revenue and 5.0% in head count from 2020 to 2022.

As community quarantine restrictions eased up, and more workers returned to the office, IT-BP outsourcing companies transitioned to hybrid working schemes with video-conferencing applications being accepted industry-wide. In fact, many employers are now considering permanently implementing alternative work schemes to accommodate company-wide remote work. Some companies, however, await regulation by the Philippine Economic Zone Authority (PEZA) and such other government agencies which cater to economic zones in the country, whose issuances mandate working on site.

The developments in new technology emerging in the Philippine IT and BP outsourcing industries require less manpower but generate higher revenue for the companies involved in the process of automation. Tasks which usually involve calculations, maintenance of records, and repetitive and rule-based activities which have previously been done by employees, are simulated and delivered automatically by machines with RPA, chatbot and other capable software, and AI. Nonetheless, with these new technologies on the rise, there is conversely an increase in the complexity of work and demand for the development of new product and innovation strategies, calling for collaborative delivery of technology and human involvement.

Blockchain and Smart Contracts

The developments in technology have likewise brought blockchain and smart contracts into the Philippine jurisdiction. Considering the capabilities introduced by blockchain technology, there may be a wider adoption of the same in commercial applications and transactions, especially with the prevalence of online banking and the use of e-wallets. Financial institutions, in particular, have begun to assess which of their processes can leverage the use of blockchain technology as a solution to eliminate friction and ensure security within the business. However, this technology remains a relatively new concept in public policy in the Philippines, as government agencies strive to embrace its capabilities in order to come up with appropriate regulations.

Philippine Digital Workforce Competitiveness Act

At any rate, the Philippine government has begun to recognise the rapid acceleration of digitalisation and advances in technology across industries and sectors. On 30 July 2022, Republic Act No 11927 or the "Philippine Digital Workforce Competitiveness Act" was promulgated, which aims to enhance the skills and competitiveness of the Philippine workforce and ensure that Philippine workers have access to, and are provided with, digital skills and competencies that are on a par with global standards. The Act also constitutes an Inter-agency Council, which formulates digital technology and skills roadmaps for evolving professional areas, including engineering and cloud computing, data and AI.

In this jurisdiction, technology transactions, such as those employing AI, robotics, blockchain, cryptocurrency, financial technologies, etc, are continuously being studied by the government in order to implement legal and regulatory restrictions for their specific use. Nonetheless, current statutes – including the Civil Code, Intellectual Property Code and Revised Penal Code – and regulations, such as issuances from the Central Bank of the Philippines and Anti-money Laundering Council, regulatory manuals for banks and financial institutions, etc, generally apply to these transactions. Moreover, Republic Act No 10175, or the "Cybercrime Prevention Act of 2012", likewise addresses all types of offences committed against and by means of a computer system, such as illegal access interception, data and system interferences, and the misuse of devices. Civil, administrative and criminal liability may then arise to the extent that the technology applied can be explained by experts.

As regards outsourcing, Articles 106 to 109 of the Labour Code and its implementing rules, Department of Labour and Employment (DOLE) Department Order No 174 series (“DO 174”) of 2017, provide the rules on contracting, including the rights and obligations of the parties to this arrangement and restrictions on the exercise of such rights.

Contracting Arrangements under DO 174

DO 174, which amended the Rules Implementing Articles 106 to 109 of the Labour Code, applies to “an arrangement whereby a customer agrees to put out or farm out with a contractor or subcontractor the performance or completion of a specific job, work, or service within a definite or predetermined period, regardless of whether such job, work, or service is to be performed or completed within or outside the premises of the principal”. This involves a trilateral relationship among: 

• the principal (or customer), who decided to farm out a job, work or service to a contractor; 
• the contractor (or supplier), who undertakes the performance of the job, work or service; and 
• the employees of the contractor, who accomplish the job, work or service.

In a contracting arrangement governed by the Labour Code, no employer-employee relationship exists between the customer and the employees of the supplier, provided the supplier complies with the requirements of law and is considered a legitimate independent contractor. 

A contracting arrangement is considered legitimate if the following requirements are complied with: 

• the contractor is registered in accordance with existing regulations;
• the contractor or subcontractor is engaged in a distinct and independent business and undertakes to perform the job or work on its own responsibility, according to its own manner and method;
• the contractor or subcontractor has substantial capital to carry out the job farmed out by the principal on its account, and has the manner and method, and investment in the form of tools, equipment, machinery and supervision;
• in performing the work farmed out, the contractor or subcontractor is free from the control and/or direction of the principal in all matters connected with the performance of the work, except as to the results thereof; and
• the service agreement ensures compliance with all the rights and benefits of all the employees of the contractor or subcontractor under the labour laws.

DO 174 prohibits a labour-only contracting arrangement, which is defined as an arrangement where:

• the supplier does not have substantial capital or investments in the form of tools, equipment, machinery and supervised work premises, among other things, and the contracted employees are performing activities which are directly related to the main business operations of the customer; or
• the supplier or subcontractor does not exercise the right of control over the performance of the work of the employee.

In a labour-only contracting arrangement, the customer is considered to be the direct employer of the supplier’s employees.

Exclusions from DO 174

It must be noted that certain critical industries are excluded from the scope of DO 174. The provisions of the Civil Code, on obligations and contracts, instead of the Labour Code, apply to these excluded transactions.

On 9 June 2017, the DOLE Secretary issued DOLE Department Circular No 1, series of 2017 (“DC 1-17”), which clarified the non-applicability of DO 174 to certain industries and contractual relationships. The said issuance clarifies that DO 174 does not cover information technology-enabled services involving an entire or specific business process, such as: 

• business or knowledge process outsourcing (including call centre activities);
• legal process outsourcing;
• IT infrastructure outsourcing;
• application development;
• hardware and/or software support;
• medical transcription;
• animation services; or 
• back office support. 

Also excluded from the application of DO 174 are contractual relationships such as contracts of sale, lease, carriage, growing/growership, toll manufacturing, management, operation and maintenance. DO 174 also does not cover the contracting-out of jobs or work to a professional, or an individual with unique skills and talents who performs the job or work themselves for the principal.

DO 174 is likewise not applicable to the construction industry, private security agencies and banks (to a certain extent), as there are separate issuances governing these businesses, as explained below.

Security Services

Republic Act No 11917 or the "Private Security Industry Act", promulgated on 30 July 2022, amended Republic Act No 5487, which provides for the registration, licensing, and outsourcing of security services. DOLE Department Order No 150-16, series of 2001, entitled “Revised Guidelines Governing the Employment and Working Conditions of Security Guards and Similar Personnel in the Private Security Industry”, which implemented the old law, has yet to be updated. This issuance applies to private security agencies and their principals, to ensure that the rights of private security personnel meet the minimum benefits provided for by the Labour Code and other labour legislation.

Construction Services

As mentioned in 2.1 New Legal and Regulatory Restrictions on Technology Transactions or Outsourcing, the construction industry is excluded from the coverage of DO 174. The DOLE explained that the Philippine Contractors Accreditation Board (PCAB) registers all contractors. Moreover, the construction industry is already governed by the following laws and government issuances:

• Republic Act No 4566 or the "Contractors’ Licence Law" and its implementing rules;
• DOLE Department Order No 19, series of 1993 (Guidelines Governing the Employment of Workers in the Construction Industry);
• DOLE Department Order No 13, series of 1998 (Guidelines Governing Occupational Safety and Health in the Construction Industry); and
• DOLE-DPWH-DILG-DTI and PCAB Memorandum of Agreement-Joint Administrative Order No 1, series of 2011 (on co-ordination and harmonisation of policies and programmes on occupational safety and health in the construction industry).

Banking Functions

Under the Central Bank of the Philippines Manual of Regulation for Banks (MORB), inherent banking functions cannot be outsourced. These functions are defined as follows:

• taking deposits from the public;
• granting of loans and extension of other credit exposures;
• managing of risk exposures; and
• general management.

However, the MORB allows the outsourcing of banking functions to third parties or to related companies (ie, SSCs), provided that appropriate processes and information systems that can adequately identify and mitigate operational risks arising from the outsourced activities are in place. According to existing BSP regulations, these banking functions include “printing of bank loan statements and other non-deposit records, bank forms and promotional materials; credit investigation and collection; processing of export, import and other trading transactions; transfer agent services for debt and equity securities; property appraisal; property management services; messenger, courier and postal services; security guard services; vehicle service contracts; janitorial services; and such other activities as may be determined by the Monetary Board”.

With the rise of technology transactions, the MORB was updated to include the issuance and operation of electronic money through the use of e-wallets, stored value cards, and other similar products. Similarly, electronic money issuers (EMIs) are subject to the same BSP regulations as regular banks and financial institutions and are mandated to put in place systems which maintain accurate and complete records of e-money instruments, the identity of e-money holders, and the individual and consolidated balances thereof, and which can monitor the movement of e-money transactions. However, the susceptibility of a system to misreporting of transactions and balances is sufficient ground for imposition by the BSP of sanctions, as may be applicable.

Republic Act No 10173 or the "Data Privacy Act of 2012" (DPA) and its Implementing Rules and Regulations (IRR) govern the collection and processing of personal data by any natural or juridical person in the government or in the private sector, as either a “personal information controller” (PIC) or “personal information processor” (PIP). 

A PIC refers to a natural or juridical person, or any other body that controls the processing of personal data, or instructs another to process personal data on its behalf. On the other hand, a PIP refers to any natural or juridical person or any other body to which a PIC may outsource the processing of personal data or instruct the processing of personal data pertaining to a data subject.

General Criteria for Processing Personal Information

Section 11 of the DPA sets out the general criteria for the processing of personal information. It provides that processing is allowed, subject to compliance with the requirements of the DPA and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality. Personal information must be:

• collected for specified and legitimate purposes determined and declared beforehand, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
• processed fairly and lawfully;
• accurate, relevant and, where necessary for the purposes for which it is to be used in the processing of personal information, kept up to date; while inaccurate or incomplete data must be rectified, supplemented or destroyed, or its further processing restricted;
• adequate and not excessive in relation to the purposes for which it is collected and processed;
• retained only for as long as necessary for the fulfilment of the purposes for which the data was obtained or for the establishment, exercise or defence of legal claims, or for legitimate business purposes, or as provided by law; and
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected and processed, provided that personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods; and provided, furthermore, that adequate safeguards are guaranteed by said laws authorising the processing.

Lawful Processing of Personal and Sensitive Personal Information

The DPA also sets out the specific and separate criteria for the lawful processing of personal information and sensitive personal information. 

Under the DPA, cross-border sharing of data is allowed if consent is obtained and the following conditions are met.

• Data-sharing for commercial purposes, including direct marketing, must be covered by a data-sharing agreement, and:
1. the data-sharing agreement must establish adequate safeguards for data privacy and security, and uphold the rights of data subjects; and
2. the data-sharing agreement must be subject to review by the National Privacy Commission (NPC), on its own initiative or upon complaint of a data subject.
• The data subject must be provided with the following information prior to collection or before their data is shared:
1. the identity of the PICs or PIPs that will be given access to the personal data;
2. the purpose of data-sharing;
3. the categories of personal data concerned;
4. the intended recipients or categories of recipients of the personal data;
5. the existence of the rights of data subjects, including the right to access and correction, and the right to object; and
6. other information that would sufficiently notify the data subject of the nature and extent of data-sharing and the manner of processing.

Organisational, Physical and Technical Security Measures

Under Section 25 of the IRR of the DPA, PICs and PIPs must implement reasonable and appropriate organisational, physical and technical security measures for the protection of data.

As regards organisational security measures, the employer must designate a data protection officer who will be accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security. 

Likewise, the employer must implement a data protection policy that provides for organisational, physical and technical security measures, taking into account the nature, scope, context and purpose of the processing. The policy must incorporate the following:

• provision(s) ensuring that only personal data which is necessary for the specified purpose is processed;
• procedures limiting the processing of data, to ensure that it is only processed to the extent necessary for the declared, specified and legitimate purpose;
• procedures for the collection of personal data, including procedures for obtaining consent, where applicable;
• documentation and recording of the data processing system and activities; and
• management, supervision and training of employees as to the processing, handling, storing and accessing of personal data.

On the other hand, physical security measures refer to the following: 

• implementation of policies and procedures to monitor and limit access to and activities in the room, workstation or facility, including guidelines to proper use of and access to electronic media;
• designing of office space and workstations to provide privacy to anyone processing personal data; and
• security against natural disasters, power disturbance, external access, mechanical destruction of files and equipment, and other similar threats.

Finally, technical security measures refer to the policies aimed at protecting the employer's computer systems used in the processing and storage of personal data. These include maintenance of the confidentiality, integrity, availability and resilience of the processing systems and services. The employer must implement a policy regarding regular monitoring of the system for security breaches, reasonably foreseeable vulnerabilities in the computer network, and measures for taking preventative and corrective action against security incidents.

Penalties for Breach of Such Laws

The DPA imposes penalties of imprisonment and a fine for prohibited acts which include unauthorised processing of personal information, accessing personal information due to negligence, improper disposal of personal information, and processing of personal information for unauthorised purposes. NPC Circular No 2022-01, issued on 8 August 2022, prescribes guidelines on the imposition of administrative fines with respect to violations of the DPA by PICs and PIPs, depending on the gravity of the infraction. Violations of the general privacy principles in data processing and violations of any of the rights of a data subject, where the total number of affected data subjects exceeds 1,000, and repeated infractions, are considered grave infractions which are penalised with a fine of 0.5% to 3% of the PIC's or PIP’s annual gross income of the immediately preceding year. Violations of such principles and rights where the total number of affected data subjects is 1,000 or below, and a PIC’s failure to implement security measures or to notify affected data subjects of personal data breaches, are considered major infractions penalised with a fine of 0.25% to 2% of the PIC's or PIP’s annual gross income of the immediately preceding year. Other infractions, such as the PIC’s failure to register and to comply with any order, resolution or decision of the NPC, may be penalised with a fine of PHP50,000 to PHP200,000.

In this jurisdiction, the standard supplier–customer contract between the principal and its supplier is the service agreement. Under DO 174, the service agreement must ensure compliance with all the rights and benefits of all the employees of the supplier under the law. Moreover, under Section 11 (b) of DO 174, the agreement should contain the following information:

• a specific description of the contracted job or work;
• the term or duration of service;
• the place of work;
• terms and conditions governing the contractual arrangement;
• the agreed amount of contracted work;
• an administrative fee of not less than 10% of the total contract cost; and
• provision of the issuance of the bond(s), which the customer may require from the supplier.

Aside from entering into contracting arrangements with service contractors, Philippine companies have also tried other approaches which suit their business needs, one of which is multi-sourcing. In this arrangement, companies engage various service providers instead of having only one service provider handle the whole business process. This lets companies choose the best service provider for a specific function or service. This likewise helps promote healthy competition among the service providers.

Conversely, some companies enter into a joint venture with other companies for a new project or a business activity. In this arrangement, an association of persons or companies jointly undertake some commercial enterprise, generally contribute assets and share risks.

Captives and SSCs

In the Philippines, captives and SSCs make up a significant part of the IT-BP outsourcing industry, having generated millions of jobs and revenues over the past few years, as intra-group services include administrative, human resources, finance, IT, management, marketing, and research and development, among others. According to a benchmarking effort conducted by the Shared Services and Outsourcing Network (SSON) in 2022, SSCs in the Philippines provide an array of services to their clients, 50% to 79% of which entail master data management, peer-to-peer (P2P), procurement, record-to-report (R2R), order-to-cash (O2C), data and business analytics, and payroll services; while 22% to 49% entail workforce management, call centre, hire-to-retire, supply chain, cash management, intelligent automation, and statutory reporting. According to the SSON report, the top three business priorities of Philippine SSCs are digitalising data, leveraging automation platforms, and stabilising a hybrid work environment; while the top three skills priorities are process design/improvement, automation, and data management or analytics. With respect to automation, 39% to 58% of the SSCs recognise RPA, process mining, machine learning and AI as top priorities in the next year.

Given the technical skills and expertise required for the implementation of new technologies, digital transformation by Philippine companies for services, such as cloud computing, SaaS, IaaS and PaaS is similarly implemented through outsourcing agreements with third parties who specifically operate these technologies and/or provide support for their use. Particularly for cloud computing, contracts typically refer to an operating expense (OpEx) model with respect to billing, as the services entail a “pay per use” approach. As with many IT-BP companies, these service providers co-ordinate with internal IT units to ensure that service level agreements are complied with. 

In this jurisdiction, the "customer" in an outsourcing arrangement is the principal with whom the contractor (or supplier) has a contract. 

Aside from key performance indicators prescribed in the contract, contractual protections for the customer in an outsourcing arrangement include compliance with labour and social legislation, in terms of the wages and benefits of the supplier’s employees, for the purpose of avoiding joint and several liability with the supplier. This is because, even in cases of legitimate contracting, the customer is still jointly and severally liable for the unpaid wages and benefits of the employees. Thus, as a form of security, the customer may, pursuant to Article 108 of the Labour Code, require the supplier to furnish a bond equal to the cost of the labour under contract, on condition that the bond will settle the wages due to the employees should the supplier fail to pay the same. 

Furthermore, the customer may include the following stipulations in the service agreement: 

• submission of the employment contracts of the contractor’s employees to the principal;
• a condition that the consideration of the service agreement will only be paid after the supplier has paid in full all wages, salaries and other benefits due to the contractor’s employees and has made all the required contributions to the Social Security System, the Home Development Mutual Fund, the Employees Compensation Commission and Philippine Health Insurance System; 
• a provision that the supplier is responsible for controlling the means and method of how its employees perform the work, with the customer only having control as to the desired results, so as to avoid establishing an employment relationship between the customer and the supplier’s employees;
• a "free and harmless" clause whereby the supplier holds the customer free from any and all liabilities that may arise from the outsourcing arrangement (a stipulation on liquidated damages may also be included in the agreement); and 
• posting of a bond by the supplier which will settle the wages due to the employees should the supplier fail to pay the same.

With respect to remedies, as against the contractor, the customer may enforce the service agreement through arbitration or civil action, depending on the agreement between the parties. Conversely, if the employees file a case against the supplier and implead the principal, the latter may file a motion to dismiss on the grounds of lack of an employer-employee relationship.

The customer and the supplier may stipulate in the service agreement that either party will be able to terminate the contract with or without cause and after serving the other party with formal notice and the observance of an agreed-upon notice period. 

It is important to note, however, that under Section 13 of DO 174, in the case of termination of employment caused by the pre-termination of the service agreement not due to authorised causes under Article 298 of the Labour Code, the right of the supplier’s employees to unpaid wages and other benefits, including unremitted mandatory contributions, shall be borne by the party at fault, without prejudice to the solidary liability of the parties to the service agreement as may be provided by law.

When a person sustains an injury as a result of a breach of contract or a legal invasion of their rights, they are entitled to recover damages which are the pecuniary compensation, recompense or satisfaction for the injury sustained. The injured party is entitled to damages, which reasonably arise from the breach of contract (direct loss), and which were reasonably in the contemplation of both parties, at the time the contract was entered into, as the probable result of the breach (consequential or indirect loss).

In this jurisdiction, the courts award different kinds of damages which may be in the form of the following.

• Actual or compensatory damages – these contemplate adequate compensation for such pecuniary loss suffered by a person as they have duly proved. This includes the loss of what a person already possesses and the loss of a benefit that the person failed to receive because of the injury. Thus, this already compensates for direct and indirect losses. 
• Moral damages – these may be recovered if there is physical suffering, mental anguish, serious anxiety, besmirched reputation, moral shock, social humiliation or a similar injury which is the result of another person’s wrongful act or omission. 
• Nominal damages – these are adjudicated so that a person who has been violated may be vindicated or recognised, and not for the purpose of indemnifying them for any loss suffered by them. Note that nominal damages cannot co-exist with actual damages. 
• Temperate damages – more than nominal but less than actual damages, these may be recovered when there was in fact a pecuniary loss, but its amount cannot be established with certainty from the nature of the case. 
• Liquidated damages – agreed upon by the parties to a contract, to be paid in case of breach thereof. 
• Exemplary or corrective damages – imposed as a deterrent against socially deleterious actions. These are awarded in addition to moral, temperate, liquidated or compensatory damages. 

For corporations and other juridical entities, moral damages generally cannot be awarded since, unlike a natural person, they cannot experience physical suffering or such sentiments as wounded feelings, serious anxiety, mental anguish or moral shock. However, the Supreme Court has recognised that when a juridical person has a good reputation that is debased, resulting in social humiliation, moral damages may be awarded. In other words, a corporation or other juridical entity can be the offended party in a defamation case and it can recover moral damages.

In this jurisdiction, parties are free to establish stipulations, clauses, terms and conditions as they may deem convenient, provided that they are not contrary to the law, morals, good customs, public order or public policy. It is also standard that the law is deemed written into every contract. Thus, although a contract is the law between the parties, the provisions of positive law which regulate contracts are deemed written therein and these limit and govern the relations between the parties.

In this connection, the Labour Code and DO 174 are the governing laws and regulations on contracting arrangements, unless otherwise excluded by DC 1-17. Thus, deemed included in every service contract are Article 109 of the Labour Code and Section 9 of DO 174, which provide for solidary liability on the part of the customer and the supplier for the purposes of enforcing the provisions of the Labour Code and other social legislation, in cases of violation of any provision of the Labour Code, including the failure to pay wages.

The IRR of the DPA require that each PIC is responsible for the personal information under its control or custody, including information that has been transferred to a PIP, whether domestically or internationally. As such, it may use contractual or other reasonable means to ensure proper safeguards are in place; to ensure the confidentiality, integrity and availability of the personal data processed; to prevent its use for unauthorised purposes; and, generally, to comply with the DPA and applicable issuances of the NPC.

According to Section 44 of the said IRR, the outsourcing agreement between the PIC and the PIP should contain the following:

• the subject matter and duration of the processing; 
• the nature and purpose of the processing; 
• the type of personal data and categories of data subjects; 
• the obligations and rights of the  PIC; and 
• the geographic location of the processing. 

Furthermore, the contract should also state the following obligations on the part of the PIP: 

• to process the personal data only upon the documented instructions of the PIC, including transfers of personal data to another country or an international organisation, unless such transfer is authorised by law; 
• to ensure that an obligation of confidentiality is imposed on persons authorised to process the personal data; 
• to implement appropriate security measures and comply with the DPA, the Rules, and other issuances of the NPC; 
• not to engage another processor without prior instruction from the PIC – provided that any such arrangement ensures that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing; 
• to assist the PIC, by appropriate technical and organisational measures, and to the extent possible, fulfil the obligation to respond to requests by data subjects relating to the exercise of their rights; 
• to assist the PIC in ensuring compliance with the DPA, the Rules, other relevant laws, and other issuances of the NPC, taking into account the nature of processing and the information available to the PIP; 
• at the choice of the PIC, to delete or return all personal  data to the PIC at the end of the provision of services relating to the processing; provided that this includes deleting existing copies unless storage is authorised by the DPA or another law; 
• to make available to the PIC all information necessary to demonstrate compliance with the obligations laid down in the DPA, and allow for and contribute to audits, including inspections, conducted by the PIC or another auditor mandated by the latter; and
• to immediately inform the PIC if, in its opinion, an instruction infringes the DPA, its IRR, or any other issuance of the NPC. 

The above contract terms with respect to data security apply where the technology or outsourcing is cloud based. Section 4 of the DPA applies to the processing of all personal information and to any natural or juridical person, including PIPs, “who although not found or established in the Philippines, use equipment... located in the Philippines, or those who maintain an office, branch or agency in the Philippines”. Moreover, data processing refers to any operation performed upon personal data including its collection, recording, organisation, storage, and retrieval. Hence, the PIP which operates the cloud must install proper safeguards to ensure data security, such as multi-factor authentication, access limits, and encryption in use, in transit, and at rest. Nonetheless, in cloud computing, parties may follow a “shared responsibility model” where security in and of the cloud is allocated to the PIC and the PIP, typically with the PIP ensuring the security of how the data is stored, managed and processed, and with the PIC ensuring that its operational systems and network configurations are updated and secured to allow the proper control, access and use of the data.

Generally, an employer may carry out employee transfers within its organisation as an exercise of management prerogative, provided that it is reasonable and done in good faith.

Re-assignment or Transfer

In the context of outsourcing, DO 174 provides that where the termination results from the expiry of the service agreement, or from the completion of the phase of the job or work for which the employee was engaged, the latter may opt to wait to be re-assigned or transferred to another principal or customer within three months. Failure on the part of the supplier to provide new employment may cause the separation of the employee due to authorised cause under Article 298 of the Labour Code and will entitle the employee to payment of separation benefits as may be provided by law or in the service agreement.

"Floating Status"

Where the exigencies of the business compel the customer to reduce the supplier’s manpower dedicated to it, the affected employees of the supplier are usually placed on "floating status", whereby they do not lose their employment, but are subjected to a no work, no pay policy. Under prevailing jurisprudence, employees may be placed on floating status for a maximum of six months. Otherwise, they will have to be separated due to redundancy as a result of the superfluity of their functions or abolition of positions (as the case may be), paid at least one month's pay or a month's pay per year of service (whichever is higher), and given a prior separation notice at least one month before their separation.

Illicit Employment Arrangements

Under Section 6 of DO 174, other illicit forms of employment arrangements are declared prohibited for being contrary to the law or public policy. Under this Section, other practices, schemes or employment arrangements designed to circumvent the right of workers to security of tenure are also prohibited. In this regard, if the transfer of employees was done to circumvent the right of workers to security of tenure or their right to self-organisation, then the same may constitute an illicit form of employment arrangement under DO 174.

There is no explicit requirement under the law for an employer to consult its workers before outsourcing some functions, unless there is an applicable provision in a collective bargaining agreement.

However, as a matter of good faith, it is advisable for the customer to consult with the trade union or the workers' council, if there is one in the company, not necessarily to secure approval but to inform the union or council about the intended outsourcing, which may impact the employees. Under Article 267 of the Labour Code, “Any provision of law to the contrary notwithstanding, workers shall have the right, subject to such rules and regulations as the Secretary of Labour and Employment may promulgate, to participate in policy and decision-making processes of the establishment where they are employed insofar as said processes will directly affect their rights, benefits and welfare.” 

Jurisprudence requires that, pursuant to this provision, the employees should at least be informed (though their approval need not be secured) of programmes affecting their rights and welfare. Under Article 259 (c) of the Labour Code, it is likewise prohibited “to contract out services or functions being performed by union members when such will interfere with, restrain or coerce employees in the exercise of their rights to self-organisation”. This constitutes unfair labour practice in the Philippines.

It is well settled under case law that transfer of employees within the company is an inherent right of the management. Although an employee has a right to security of tenure, this does not give them a vested right to deprive the company of its prerogative to change their assignment to where they will be most useful. In a number of cases, the following reasons for the transfer of employees have been upheld by the Supreme Court: 

• transfer due to the standard operating procedure of the company;
• transfer due to business exigencies;
• transfer in accordance with predetermined and established office policy and practice;
• transfer to avoid conflict of interest;
• transfer occasioned by the abolition of a position; and 
• transfer pending investigation of irregularities.

For employees wanting to transfer to other outsourcing companies, it is industry practice for the new employer to require resignations from and a clearance issued by the previous employer before accepting the new employees. In these kinds of transfers, there is a valid separation from the old employer and an accepted offer of employment with the new employer.

The Telecommuting Act

Republic Act No 11165, or the "Telecommuting Act", allows an employer to implement a telecommuting programme (ie, work-from-home arrangement) on a voluntary basis, upon such terms and conditions as the employer and employee may mutually agree. However, the employer may not discriminate against the remote worker in terms of pay, workload, performance standards, and career development opportunities, among others, as compared with those working on site. The remote worker will likewise have the right to rest periods, regular holidays, overtime premiums, and such other benefits under the Labour Code and other labour legislation. Moreover, the employer must ensure that measures are taken to prevent the remote worker from being isolated from the rest of the working community in the company by giving them the opportunity to meet with colleagues on a regular basis, and allowing access to company information.

Hybrid Work Arrangements

Notably, Section 309 of Republic Act No 11534, or "Corporate Recovery and Tax Incentives for Enterprises", states that “a qualified registered project or activity under an Investment Promotion Agency administering an economic zone or Freeport shall be exclusively conducted or operated within the geographical boundaries of the zone or Freeport being administered by the Investment Promotion Agency in which the project or activity is registered”. As a result, establishments registered with economic zone authorities, such as PEZA, are generally required to operate on site, to avoid losing their fiscal incentives and privileges. However, the COVID-19 pandemic tempered these restrictions, in that PEZA allowed applications for a 70/30 hybrid work arrangement (70% on site/30% remote) from 1 April 2022 until 31 December 2022. To apply, the establishment must request a Letter of Authority (LOA) from PEZA on the basis of, among others, an attestation and documents detailing the hybrid work scheme (eg, a list of employees under the work-from-home arrangement and a list of laptops/equipment brought out of the economic zones) and the posting of a bond for all equipment deployed by the establishment to the homes of its employees, as may be required by the Fiscal Incentives Review Board.

In any case, DOLE Department Order No 237, series of 2022, provides that the employer must notify DOLE on the adoption of these work arrangements, by completing an Establishment Report Form and submitting the same, in print or digital copy, to the nearest DOLE field or provincial office having jurisdiction over the establishment and/or through their online filing system.